Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PAN-OS 8.0 Decryption Issue with Firefox and Chrome

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS 8.0 Decryption Issue with Firefox and Chrome

L3 Networker

After uprading my lab to pan-os 8.0 The forward Decryption failed when using Firefox and Chrome.

IE 11 en Edge still works.

 

For example when i go to www.google.com,

 

Chrome displays: www.google.com uses an unsupported protocol.
                               ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

Firefox:  Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP

 

In the PA logs:  Session end Reason = decrypt-error.

 

PA continues the tradition to break decryption on new major releases 😉

Does anyone else have same issue?

28 REPLIES 28

L3 Networker

What version were you running in your lab prior to moving to 8.0? It sounds like the same problem I had when I moved from 7.0.x to 7.1.x where in 7.1 they changed the default behavior in app-id and I had to make sure my outbound rules from "application-default" to "any".

-Brad

Cyber Elite
Cyber Elite

I'm planning on upgrading my lab this weekend and can look at it then; I'm not sure how many people even have 8.0 on their lab enviroments yet. 

Before 8.0 it was running 7.1.7, en decypting fine.

The decryption security rule was already set at "any"

But thanks for for the suggestion.

.

L2 Linker

PanOS-8.0 is going to have a large number of issues, I remember upgrading to one of the beta versions a couple months back and it broke everything on the box. It continued to go through a reboot cycle until I was finally able to catch is correctly to jump into maint mode. It wasn't the simple you have 5 seconds to type "maint", it would jump past that 9/10 times and just restart the cycle all over again. 😞

 

It seemed to break because there was some config on there from 7.1 and it did not accept anything. I had to go and factory reset a 200 to have no configuration whatsoever before putting 8.0 on it.

 

 

- Peter

 

 

L3 Networker

It finally works now but its still strange.

 

What did i do:

It al VM so i reverted the snapshot to the previous  (working) 7.1.7 snapshot.

For panos-8 you need to modify your VM "hardware" increase mem to 6.5 Gb and the disk size needs to be 60 GB

But the last time i only increased the memory, so for this time i also increase the disk from 40 to 60GB

 

After the disksize increase i upgraded to 8.0 again.

Then started the vm100 and that was it for that day, i did not test it or use it.

Today(1 day later) i want to examine the decryption issue further, but its started working immediately.

Hi,

 

I have the same issue and its affecting all google domains on Chrome and Firefox but the weird thing its working fine on Internet Explorer!

 

Do I need to downgrade to resolve this?

 

Regards,

Sharief

Regards,
Sharief

If the VM that you are using (if using a VM) meets requirements, then yes you will likely need to revert to get things working again. I've seen that sometimes the upgrade itself causes an issue and simply reinstalling 8.0 gets things working again. Seeing as 8.0 is a brand new major software version I would advise that most people stick with 7.1.* as 8.0 is not yet a recommended release. 

First: Open a case with TAC

 

I did some more research after my issue. 

Immediately after installing or rebooting a panos 8.0 firewall this issue is present.

 

The issue disappeared by just waiting  x hours whitout changing anything.

 Yet i don't no what the minimum time for x is. 

In my test i waited approx 12 hours

 

 

On some new models PANOS 8 is the only version available.

Try using different browser.

Had same issue here in LAB. FF returned an error while IE ran just fine. See screenshots.

I assume both browsers try to establish a different SSL connection.

 

 

Schermafbeelding 2017-03-08 om 13.44.14.pngSchermafbeelding 2017-03-08 om 13.42.52.png

Niets veranderen aan de PA een aan aantal uren laten draaien en opeens werkt het.

Na een reboot van de PA weer hetzelfde verhaal.

L3 Networker

PAN-OS 8.0.1 issue still exist.

L0 Member

I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great.  Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.

 

  • 12669 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!